On ether1, I have an IP address of 1.1.1.1/28
On wlan1, I have an IP address of 2.2.2.2/30
OSPF is running on both networks, all IP traffic is being routed, while VLAN traffic is being bridged. Now, I want to block everything that’s not on a VLAN from passing through the bridge (has to be routed). The goal is to eliminate all broadcast traffic.
From what I can tell, the following rules are all that’s needed, but I’m wondering if they’ll cause more problems than they’ll solve.
I really need some help here… I have this set up on one of our towers, and it’s working well enough, but it seems a little wonky… When doing a ping to a host outside the local network, I get ICMP redirects, as if the source and next hop are on the same interface…
Oh wait, they ARE on the same interface, go figure… Each interface on the router is configured in a different subnet. OSPF is running on both networks, but uses the bridge as a dynamic interface, even when I attempt to manually configure the physical interfaces in OSPF.
[admin@LRS_BH] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.17.86.97/28 172.17.86.96 ether1
1 172.17.84.194/30 172.17.84.192 backhaul
[admin@LRS_BH] > /routing ospf network print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 172.17.84.192/30 backbone
1 172.17.86.96/28 backbone
[admin@LRS_BH] > /routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
# INTERFACE COST PRIORITY NETWORK-TYPE AUTHENTICATION AUTHENTICATION-KEY
0 D bridge1 10 1 broadcast none
1 D bridge1 10 1 broadcast none
I really need to have complete, normal, straight routing of L3 traffic while maintaining the ability to bridge VLAN traffic. Can anyone help with this?
Ok, I have a /30 on the wireless
VPLS on the /30
Bridge between ether1 and vpls1
Damned ugly way to do it, but it works!
IP traffic is being routed with no more redirects. YAY!
VLAN traffic is being bridged over the VPLS tunnel. YAY!
Layer 3 broadcast traffic is also bridged over VPLS. BOO!
Now, I’m the sort of guy who loves to play with things, and normally, I’m not afraid to break things. However, I’ve already killed 2 routers attempting to figure this out, and I’m not sure I want to risk another until I get some feedback.
How, specifically, do I keep the crap off the bridge? A filter to block all IP traffic scares the crap out of me because ROS behaves as if the IP is bound to the bridge, and not to the physical interface. Behold:
[admin@some_dumb_router] > /ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 aaa.bb.cc.29/32 aaa.bb.cc.29 lo0
1 aaa.bb.cc.218/30 aaa.bb.cc.216 backhaul
2 aaa.bb.cc.177/28 aaa.bb.cc.176 ether1
[admin@some_dumb_router] > /ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D aaa.bb.cc.180 00:XX:XX:XX:XX:74 bridge1
1 D aaa.bb.cc.179 00:XX:XX:XX:XX:56 bridge1
2 D aaa.bb.cc.217 00:XX:XX:XX:XX:E9 backhaul
3 D aaa.bb.cc.178 00:XX:XX:XX:XX:41 bridge1
If I block non-vlan traffic, won’t that prevent packets from getting to the IP, which ROS treats as being on the bridge rather than on the physical interface?
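One way to build the filter the poster is asking about, as an added example that is not configuration from the thread or from MikroTik: only the bridge filter's forward chain decides what is relayed between bridge ports, while frames addressed to the router's own MAC take the input chain, so a forward-chain rule that accepts 802.1Q frames and drops everything else leaves routing to the router's own address alone. The interface names bridge1, ether1 and vpls1 and the 172.17.86.97/28 address are taken from the poster's own output; moving that address from ether1 onto bridge1 is an assumption about the intended layout, and should be done from the console (or in safe mode), since it will briefly drop the session.

```routeros
# Added example, not from the thread: keep untagged frames off the
# ether1 <-> vpls1 bridge while the router keeps routing them normally.
# Assumed names: bridge1, ether1, vpls1 (as in the poster's output).

# 1. Put the LAN address on the bridge rather than on a bridge port.
#    RouterOS already treats a port's address as belonging to the bridge
#    (the ARP table lists bridge1, not ether1), so this makes the config
#    match reality and keeps OSPF's dynamic interface entry on bridge1.
#    Run from the console / safe mode: the remove drops your session.
/ip address
remove [find interface=ether1]
add address=172.17.86.97/28 interface=bridge1 comment="LAN /28, on the bridge itself"

# 2. Forward chain only: what may cross between ether1 and vpls1.
#    Frames for the router's own MAC (ARP for .97, routed unicast) use
#    the input/output chains and are not touched by these rules.
/interface bridge filter
add chain=forward mac-protocol=vlan action=accept comment="relay only 802.1Q-tagged frames across the bridge"
add chain=forward action=drop comment="drop untagged frames (IP, ARP, broadcast); they must be routed"

# 3. Check: the drop counter should climb as untagged broadcasts arrive,
#    while pings through the router and the VLAN bridge keep working.
/interface bridge filter print stats
```

The same two forward-chain rules belong on the far end of the VPLS tunnel as well; without them, untagged broadcasts from the remote LAN still cross the wireless link before being dropped here, which wastes backhaul even though they no longer reach ether1.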
Unfortunately I haven’t found a way to keep broadcast off of a VPLS tunnel. I guess it wouldn’t be broadcast if it couldn’t go everywhere on a single layer 2 domain.
If you don’t want broadcasts on a backhaul, route.